Information technology infrastructure of a company, organization or other enterprise is continuously subject to a wide variety of security threats. For example, advanced persistent threats (APTs) represent a very sophisticated class of attacks against an enterprise. APTs are usually mounted by well-funded attackers with very specific targets. To accomplish their goals, attackers orchestrating an APT typically introduce periods of delay among different stages of the attack, advance slowly while keeping their footprint low, and control the propagation of the attack through the use of human operators.
An APT is therefore a long-duration and stealthy security threat that characteristically unfolds in a multi-stage process, with a significant interval of time between stages. Other factors that may contribute to the “low-and-slow” execution that is typical of APTs include the use of low-bandwidth covert channels, a human-directed command-and-control center, and orchestration of multiple vectors of compromise, some of which may be physical, human, political or military. A given APT may therefore combine several distinct types of attacks, such as zero-day attacks (e.g., exploitation of unpatched software vulnerabilities) and advanced social engineering attacks.
Conventional defenses against APTs are often deployed in an ad-hoc manner, without a global understanding of attackers' goals and the objectives of the enterprise under attack. Defending against APTs is further complicated by the fact that an increasing number of enterprises are reducing their costs by migrating portions of their information technology infrastructure to cloud service providers. For example, virtual data centers and other types of systems comprising distributed virtual infrastructure are coming into widespread use. Commercially available virtualization software such as VMware® vSphere™ may be used to build a variety of different types of virtual infrastructure, including cloud computing and storage systems, distributed across hundreds of interconnected physical computers and storage devices. Use of such cloud-based arrangements for at least a portion of the information technology infrastructure of a given enterprise can introduce additional challenges in defending the enterprise against APTs.